[nft PATCH] Warn for tables with compat expressions in rules

While being able to "look inside" compat expressions using nft is a nice
feature, it is also (yet another) pitfall for unaware users, deceiving
them into assuming interchangeability (or at least compatibility)
between iptables-nft and nft.

In reality, which involves 'nft list ruleset | nft -f -', any correctly
translated compat expressions will turn into native nftables ones not
understood by (the version of) iptables-nft which created them in the
first place. Other compat expressions will vanish, potentially
compromising the firewall ruleset.

Emit a warning (as comment) to give users a chance to stop and
reconsider before shooting their own foot.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
Sorry for the dup, forgot to Cc netfilter-devel.
---
 include/rule.h |  1 +
 src/rule.c     | 16 +++++++++++++---
 src/xt.c       |  2 ++
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/include/rule.h b/include/rule.h
index ad9f912737228..00a1bac5a7737 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -169,6 +169,7 @@ struct table {
 	unsigned int		refcnt;
 	uint32_t		owner;
 	const char		*comment;
+	bool			has_xt_stmts;
 };
 
 extern struct table *table_alloc(void);
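Review bot: the new `has_xt_stmts` field is only ever set, never cleared, so any struct table object that survives past one listing keeps warning; add a one-line comment next to it saying it is a sticky flag raised while parsing rules from the kernel, and confirm that table_alloc() zero-initialises the struct so a table that was never parsed does not start out warning.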
diff --git a/src/rule.c b/src/rule.c
index 1caee58fb7622..e9f9b232aa244 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1227,6 +1227,11 @@ static void table_print(const struct table *table, struct output_ctx *octx)
 	const char *delim = "";
 	const char *family = family2str(table->handle.family);
 
+	if (table->has_xt_stmts)
+		fprintf(octx->error_fp,
+			"# Warning: table %s %s is managed by iptables-nft, do not touch!\n",
+			family, table->handle.table.name);
+
 	nft_print(octx, "table %s %s {", family, table->handle.table.name);
 	if (nft_output_handle(octx) || table->flags & TABLE_F_OWNER)
 		nft_print(octx, " #");
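Review bot: the warning goes to octx->error_fp yet is formatted as a `# ...` ruleset comment; the commit message calls it a comment, but on stderr it never ends up in the dump that `nft list ruleset | nft -f -` or `nft list ruleset > rules.nft` captures, which is exactly where the user the patch targets would need to see it. Either print it via nft_print(octx, ...) right before the `table %s %s {` line so it lands in the listing (and check that the JSON output path is not affected), or keep it on error_fp and drop the leading `# ` so it reads as a diagnostic rather than a comment.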
@@ -2381,9 +2386,14 @@ static int do_list_tables(struct netlink_ctx *ctx, struct cmd *cmd)
 static void table_print_declaration(struct table *table,
 				    struct output_ctx *octx)
 {
-	nft_print(octx, "table %s %s {\n",
-		  family2str(table->handle.family),
-		  table->handle.table.name);
+	const char *family = family2str(table->handle.family);
+
+	if (table->has_xt_stmts)
+		fprintf(octx->error_fp,
+			"# Warning: table %s %s is managed by iptables-nft, do not touch!\n",
+			family, table->handle.table.name);
+
+	nft_print(octx, "table %s %s {\n", family, table->handle.table.name);
 }
 
 static int do_list_chain(struct netlink_ctx *ctx, struct cmd *cmd,
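Review bot: this repeats the exact fprintf() block and message string from table_print() a few lines up; factor it into a small static helper (e.g. one that takes the table and octx and computes the family string itself) so the wording stays consistent and a later change to the destination stream or the text has only one place to touch.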
diff --git a/src/xt.c b/src/xt.c
index 789de9926261b..a54173522c229 100644
--- a/src/xt.c
+++ b/src/xt.c
@@ -238,6 +238,7 @@ void netlink_parse_match(struct netlink_parse_ctx *ctx,
 	stmt->xt.name = strdup(name);
 	stmt->xt.type = NFT_XT_MATCH;
 #endif
+	ctx->table->has_xt_stmts = true;
 	rule_stmt_append(ctx->rule, stmt);
 }
 
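Review bot: the assignment sits after the #endif, so the flag is also raised in builds without libxtables where the statement stays an opaque xt match; that looks intended but deserves a sentence in the commit message. Also confirm that ctx->table is non-NULL on every path that reaches netlink_parse_match(), since the line dereferences it unconditionally.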
@@ -283,6 +284,7 @@ void netlink_parse_target(struct netlink_parse_ctx *ctx,
 	stmt->xt.name = strdup(name);
 	stmt->xt.type = NFT_XT_TARGET;
 #endif
+	ctx->table->has_xt_stmts = true;
 	rule_stmt_append(ctx->rule, stmt);
 }
 
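Review bot: netlink_parse_match() and netlink_parse_target() now carry the identical `ctx->table->has_xt_stmts = true;` line; setting it once in the common code that appends xt statements would be tidier. Note also that the warning text hard-codes iptables-nft as the owner while the flag is raised for any compat match or target, whatever xtables-based frontend created it, so the wording may be worth generalising.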
-- 
2.34.1
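The round trip the patch warns about, `nft list ruleset | nft -f -`, is something a practitioner can guard against from the outside as well. The following is an added example, not code from the patch or the nftables project: a pre-flight check that scans a saved ruleset dump for compat expressions before it is fed back to `nft -f`. It assumes (not stated on this page) that untranslated compat expressions are printed as `xt match "..."` / `xt target "..."`, and, because the patch writes its warning to the error stream, that a real run captures both streams, e.g. `nft list ruleset >dump.nft 2>dump.err`. The sample dumps below are constructed for a stand-alone run; no nft binary is needed.

```shell
#!/bin/sh
# Pre-flight check before re-applying a ruleset dump with `nft -f`.
# Added example, not part of the nftables patch. Assumptions: compat
# expressions that nft could not translate are listed as
#   xt match "<name>"  /  xt target "<name>"
# and the warning added by the patch arrives on stderr, so both
# streams of `nft list ruleset` must be captured separately.

# Return 0 if the dump contains no compat expressions, 1 otherwise;
# offending lines are echoed with line numbers to stderr.
has_no_compat() {
    dump="$1"
    if grep -nE '(^|[[:space:]])xt (match|target) "' "$dump" >&2; then
        echo "refusing: compat expressions present in $dump" >&2
        return 1
    fi
    return 0
}

# Return 0 if the captured stderr carries the patch's warning line.
warned_iptables_nft() {
    grep -q '^# Warning: table .* is managed by iptables-nft' "$1"
}

# Constructed sample captures (not real nft output).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat >"$tmp/clean.nft" <<'EOF'
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept
	}
}
EOF
: >"$tmp/clean.err"

cat >"$tmp/compat.nft" <<'EOF'
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		xt match "conntrack" counter packets 0 bytes 0 xt target "REJECT"
	}
}
EOF
printf '# Warning: table ip filter is managed by iptables-nft, do not touch!\n' \
    >"$tmp/compat.err"

CLEAN="$tmp/clean.nft";  CLEAN_ERR="$tmp/clean.err"
COMPAT="$tmp/compat.nft"; COMPAT_ERR="$tmp/compat.err"

# Typical use: only reload when both checks pass.
# has_no_compat dump.nft && ! warned_iptables_nft dump.err && nft -f dump.nft
```

The two functions are deliberately separate: the stderr check only works with an nft that carries this patch, while the `xt match`/`xt target` scan of stdout works with any version whose listing shows untranslated compat expressions. Translated compat expressions are the case neither check catches, which is the point the commit message makes about them turning into native statements the originating iptables-nft no longer understands.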
